Aruba Central Online Help

Configuring System Parameters for an AP

To configure system parameters for an access point (AP), complete the following steps:

  1. In the Network Operations app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the System tab.

    The System page is displayed.

  6. Click the General accordion and configure the following parameters:

    Table 1: System Parameters

    Data Pane Item

    Description

    Virtual Controller

    This parameter configuration is only applicable for APs that operate in a cluster deployment environment.

    To configure the virtual controller name and IP address, click the edit icon and update the name and IP address. The IP address serves as a static IP address for the multi-AP network. When configured, this IP address is automatically provisioned on a shadow interface on the AP that takes the role of a virtual controller. The AP sends three ARP (Address Resolution Protocol) messages with the static IP address and its MAC (Media Access Control) address to update the network ARP cache.

    • Name—Name of the virtual controller.
    • IP address—IPv4 address configured for the virtual controller. The IPv4 address uses the 0.0.0.0 notation.
    • IPv6 address—IPv6 address configured for the virtual controller. You can configure an IPv6 address for the virtual controller only if the Allow IPv6 Management feature is enabled.

    IPv6 is the latest version of IP that is suitable for large-scale IP networks. IPv6 supports a 128-bit address to allow 2^128, or approximately 3.4×10^38, addresses, while IPv4 supports only 2^32 addresses.

    The IP address of the IPv6 host is always represented as eight groups of four hexadecimal digits separated by colons. For example 2001:0db8:0a0b:12f0:0000:0000:0000:0001. However, the IPv6 notation can be abbreviated to compress one or more groups of zeroes or to compress leading or trailing zeroes; for example 2001:db8:a0b:12f0::0:0:1.

    Set Country code for group

    To configure a country code for the AP at the group level, select the country code from the Set Country code for group drop-down list. By default, no country code is configured for the AP device groups.

    When a country code is configured for the group, it takes precedence over the country code setting configured at the device level.

    Timezone

    To configure a time zone, select a time zone from the Timezone drop-down list.

    If the selected timezone supports DST (Daylight Saving Time), the UI displays the "The selected country observes Daylight Savings Time" message.

    Preferred Band

    Assign a preferred band by selecting an appropriate option from the Preferred Band drop-down list.

    Reboot the AP after modifying the radio profile for changes to take effect.

    NTP Server

    To facilitate communication between various elements in a network, time synchronization between the elements and across the network is critical. Time synchronization allows you to:

    • Trace and track security gaps, network usage, and troubleshoot network issues.
    • Validate certificates.
    • Map an event on one network element to a corresponding event on another.
    • Maintain accurate time for billing services and similar.

    NTP (Network Time Protocol) helps obtain the precise time from a server and regulate the local time in each network element. Connectivity to a valid NTP server is required to synchronize the AP clock to set the correct time. If an NTP server is not configured in the AP network, an AP reboot may lead to variation in time data.

    By default, the AP tries to connect to pool.ntp.org to synchronize time. The NTP server can also be provisioned through DHCP (Dynamic Host Configuration Protocol) option 42. If the NTP server is configured, it takes precedence over the DHCP option 42 provisioned value. The NTP server provisioned through the DHCP option 42 is used if no server is configured. The default server pool.ntp.org is used if no NTP server is configured or provisioned through DHCP option 42.

    To configure an NTP server, enter the IP address or the URL of the NTP server and reboot the AP to apply the configuration changes.

    Virtual Controller Netmask

    Virtual Controller

    Virtual Controller DNS

    Virtual Controller VLAN

    This parameter configuration is only applicable for APs that operate in a cluster deployment environment.

    The IP configured for the virtual controller can be in the same subnet as AP or can be in a different subnet. Ensure that you configure the virtual controller VLAN (Virtual Local Area Network), controller, and subnet mask details only if the virtual controller IP is in a different subnet.

    Ensure that virtual controller VLAN is not the same as native VLAN of the AP.

    DHCP Option 82 XML

    The DHCP Option 82 XML is not applicable for cloud APs.


    DHCP Option 82 XML can be customized to cater to the requirements of any ISP (Internet Service Provider) using the conductor AP. To facilitate customization using an XML definition, multiple parameters for Circuit ID and Remote ID options of DHCP Option 82 XML are introduced.

    The XML file is used as the input and is validated against an XSD file in the conductor AP. The format in the XML file is parsed and stored in the DHCP relay which is used to insert Option 82 related values in the DHCP request packets sent from the client to the server.

    From the drop-down list, select one of the following XML files:

    • default_dhcpopt82_1.xml
    • default_dhcpopt82_2.xml

    For more information, see Configuring DHCP Scopes on IAPs.

    Dynamic CPU Utilization

    APs perform various functions such as wired and wireless client connectivity and traffic flows, wireless security, network management, and location tracking. If an AP is overloaded, prioritize the platform resources across different functions. Typically, the APs manage resources automatically in real time. However, under special circumstances, if dynamic resource management needs to be enforced or disabled altogether, the dynamic CPU management feature settings can be modified.

    To configure dynamic CPU management, select any of the following options from Dynamic CPU Utilization.

    • Automatic—When selected, the CPU management is enabled or disabled automatically during run-time. This decision is based on real time load calculations taking into account all different functions that the CPU needs to perform. This is the default and recommended option.
    • Always Disabled in all APs—When selected, this setting disables CPU management on all APs, typically for small networks. This setting protects user experience.
    • Always Enabled in all APs—When selected, the client and network management functions are protected. This setting helps in large networks with high client density.

    Auto-Join Mode

    When enabled, APs can automatically discover the virtual controller and join the network. The Auto-Join Mode feature is enabled by default.

    APs allowed for Auto-Join Mode

    Displays the number of APs allowed for Auto-Join Mode.

    • Click View Allowed APs to view the details of the APs allowed for Auto-Join Mode.
    • Click Hide Allowed APs to hide the details of the APs allowed for Auto-Join Mode.

    When Auto-Join Mode is enabled, the APs are automatically discovered and are allowed to join the cluster. When the Auto-Join Mode is disabled on the AP, the list of allowed APs on Aruba Central may not be synchronized or up-to-date. In such cases, you can manually add a list of APs that can join the AP cluster in the Aruba Central UI.

    To manually add the list of allowed AP devices, complete the following steps:

    1. Under View Allowed APs, click + in the Allowed APs pane.
    2. In the Add Allowed AP window, enter the MAC address of the AP in the MAC Address field.
    3. Click Save.

    Allow IPv6 Management

    Enables IPv6 address configuration for the virtual controller.

    You can configure an IPv6 address for a virtual controller IP only when the Allow IPv6 Management feature is enabled.

    Uplink switch native VLAN

    Allows you to specify a VLAN ID, to prevent the AP from sending tagged frames for clients connected on the SSID (Service Set Identifier) that uses the same VLAN as the native VLAN of the switch.

    By default, the AP considers the native VLAN of the upstream switch, to which it is connected, as the VLAN ID 1.

    Terminal Access

    When enabled, the users can access the AP CLI through SSH (Secure Shell).

    Login Session Timeout

    Allows you to set a timeout for the login session.

    Console Access

    When enabled, the users can access the AP through the console port.

    WebUI Access

    If an AP is connected to Aruba Central, you can use this option to disable AP Web UI access and any communication via HTTPS (Hypertext Transfer Protocol Secure) or SSH. If you enable this feature, you can manage the AP only from Aruba Central.

    Telnet Server

    When enabled, the users can start a Telnet session with the AP CLI.

    LED Display

    Enables or disables the LED display for all APs in a cluster.

    The LED display is always enabled during the AP reboot.

    Extended SSID

    Extended SSID is enabled by default in the factory default settings of APs. This disables mesh in the factory default settings.

    NOTE: For AP devices that support Aruba InstantOS 8.4.0.0 firmware versions and above, you can configure up to 14 SSIDs. By enabling Extended SSID, you can create up to 16 networks.

    Advanced Zone

    Turn on the Advanced Zone toggle switch to enable the advanced zone.

    When the advanced-zone feature is enabled and a zone is already configured with 16 SSIDs, ensure that you remove the zone from two WLAN (Wireless Local Area Network) SSID profiles if you want to disable extended SSID.

    Deny Inter User Bridging

    If you have security and traffic management policies defined in upstream devices, you can disable bridging traffic between two clients connected to the same AP on the same VLAN. When inter-user bridging is denied, the clients can connect to the Internet but cannot communicate with each other, and the bridging traffic between the clients is sent to the upstream device to make the forwarding decision.

    To disable inter-user bridging, turn off the Deny Inter User Bridging toggle switch.

    Deny Local Routing

    If you have security and traffic management policies defined in upstream devices, you can disable routing traffic between two clients connected to the same AP on different VLANs. When local routing is disabled, the clients can connect to the Internet but cannot communicate with each other, and the routing traffic between the clients is sent to the upstream device to make the forwarding decision.

    To disable local routing, move the slider to the right.

    Dynamic RADIUS Proxy

    If your network has separate RADIUS (Remote Authentication Dial-In User Service) authentication servers (local and centralized servers) for user authentication, you may want to enable Dynamic RADIUS proxy to route traffic to a specific RADIUS server. When Dynamic RADIUS proxy is enabled, the IP address of the virtual controller is used for communication with external RADIUS servers.

    To enable Dynamic RADIUS Proxy, you must configure an IP address for the Virtual Controller and set it as a NAS (Network Access Server) client in the RADIUS server profile.

    Dynamic TACACS Proxy

    If you want to route traffic to different TACACS (Terminal Access Controller Access Control System) servers, enable Dynamic TACACS Proxy. When enabled, the AP cluster uses the IP address of the Virtual Controller for communication with external TACACS servers.

    If an IP address is not configured for the Virtual Controller, the IP address of the bridge interface is used for communication between the AP and TACACS servers. However, if a VPN (Virtual Private Network) tunnel exists between the Instant AP and TACACS server, the IP address of the tunnel interface is used.

    Cluster Security

    This parameter is required to be set only for APs that operate in a cluster deployment environment.

    Enables or disables the cluster security feature. When enabled, the control plane communication between the AP cluster nodes is secured. The Disallow Non-DTLS Members toggle switch appears. Turn on the toggle switch to allow member APs to join a DTLS (Datagram Transport Layer Security) enabled cluster.

    For secure communication between the cluster nodes, the Internet connection must be available, or at least a local NTP server must be configured.

    After enabling or disabling cluster security, ensure that the configuration is synchronized across all devices in the cluster, and then reboot the cluster.

    The Disallow Non-DTLS Members feature is only supported in AP devices supporting Aruba InstantOS 8.4.0.0 firmware versions and above.

    Low Assurance PKI

    Turn on the toggle switch to allow low assurance devices that use a non-TPM (Trusted Platform Module) chip in the network.

    To enable the cluster security feature, turn on the Low Assurance PKI toggle switch. For more information on Low Assurance PKI, refer to the Cluster Security section in the Aruba Instant User Guide.

    The Low Assurance PKI toggle switch is supported in AP devices running Aruba InstantOS 6.5.3.0 firmware versions and later.

    Mobility Access Switch Integration

    Turn on the toggle switch to enable LLDP (Link Layer Discovery Protocol) for Mobility Access Switch integration. With this protocol, APs can instruct the switch to turn off ports where rogue access points are connected, as well as take actions such as increasing PoE (Power over Ethernet) priority and automatically configuring VLANs on ports where APs are connected.

    URL Visibility

    Turn on the toggle switch to enable URL data logging for client HTTP (Hypertext Transfer Protocol) and HTTPS sessions and allows APs to extract URL information and periodically log them on ALE (Analytics and Location Engine) for DPI (Deep Packet Inspection) and application analytics.

  7. Click Save Settings.
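
The table above states several cross-field dependencies (virtual controller subnet and VLAN, IPv6 management, Dynamic RADIUS Proxy, cluster security and time sync, NTP precedence). The following check is an added example, not Aruba code or an Aruba Central API: it reviews a planned set of values before you click Save Settings. The dictionary keyed by this page's UI labels is a constructed format, the "AP subnet" and "DHCP option 42 NTP" fields are assumed helper inputs, and the uplink switch native VLAN is treated as the AP's native VLAN.

```python
import ipaddress

DEFAULT_NTP = "pool.ntp.org"  # default server named in the NTP Server row


def effective_ntp(configured=None, dhcp_option_42=None):
    """Configured server wins, then DHCP option 42, then the default."""
    return configured or dhcp_option_42 or DEFAULT_NTP


def check_system_settings(s):
    """Return findings for one group's planned System > General values.

    `s` is a constructed dict keyed by this page's UI labels; "AP subnet"
    and "DHCP option 42 NTP" are assumed helper fields, not UI items.
    """
    findings = []
    vc_ip = s.get("Virtual Controller IP address")
    vc_vlan = s.get("Virtual Controller VLAN")
    native_vlan = s.get("Uplink switch native VLAN", 1)  # page default is 1

    if vc_ip:
        ap_net = ipaddress.ip_network(s["AP subnet"], strict=False)
        if ipaddress.ip_address(vc_ip) not in ap_net:
            # Different subnet: the page requires netmask and VLAN details.
            for key in ("Virtual Controller Netmask", "Virtual Controller VLAN"):
                if not s.get(key):
                    findings.append(f"{key} required: VC IP is outside the AP subnet")
    if vc_vlan is not None and vc_vlan == native_vlan:
        findings.append("Virtual Controller VLAN equals the native VLAN")
    if s.get("Virtual Controller IPv6 address") and not s.get("Allow IPv6 Management"):
        findings.append("IPv6 address set but Allow IPv6 Management is off")
    if s.get("Dynamic RADIUS Proxy") and not vc_ip:
        findings.append("Dynamic RADIUS Proxy needs a Virtual Controller IP")
    ntp = effective_ntp(s.get("NTP Server"), s.get("DHCP option 42 NTP"))
    if s.get("Cluster Security") and ntp == DEFAULT_NTP:
        # No local NTP source: DTLS cluster time depends on Internet access.
        findings.append(f"Cluster Security relies on Internet reachability of {DEFAULT_NTP}")
    if s.get("Telnet Server"):
        findings.append("Telnet Server is enabled (cleartext CLI access)")
    return findings


# Constructed sample values, not taken from a real deployment.
SAMPLE = {
    "AP subnet": "10.10.20.0/24",
    "Virtual Controller IP address": "10.10.30.5",
    "Virtual Controller Netmask": "255.255.255.0",
    "Virtual Controller VLAN": 1,
    "Dynamic RADIUS Proxy": True,
    "Cluster Security": True,
    "Telnet Server": True,
}

if __name__ == "__main__":
    for finding in check_system_settings(SAMPLE):
        print("-", finding)
```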